
Selling or donating equipment? Don't forget to wipe it clean

Patrick Lambert reminds IT pros about the importance of securely wiping hard disks clean, especially if you're in the process of disposing of, selling, or donating old computers and other devices.

Now that 2012 is getting closer, and the end of the world may be close by (or not), it's time for a public service notice that everyone should keep in mind -- something that's been said before, but bears repeating. You too can help prevent the apocalypse, at least for your own private data, or your corporate data, before computer systems or any type of memory pass into the wrong hands. Just this month, we learned that a large computer store, Staples, was still selling used computers without clearing the previous data on their disks. It can be quite shocking to think that, to this day, this basic precaution isn't always taken. If such a high-volume store can make this mistake, anyone can. Of course, as IT pros, we'd never think about selling a used system that contains confidential information. Well, that is, unless we forget; hence, the reminder. If one of your end-of-year tasks is to inventory and get rid of old equipment, here are a few tips.

Securely wiping computer hard drives

It doesn't take much to recover deleted data. Let's not forget that when something like a file gets deleted on a modern operating system, the only item that is truly wiped is the file descriptor at the front of the disk. The actual file remains intact, until something else comes along and overwrites that data. And with the sizes of disks today, that may take a long time to happen. Dragging a document to the recycle bin has no impact on the actual data on the disk, and there are dozens of tools out there that can bring a file back to life, using all sorts of techniques, from simple ones like undeleting the file, to complex forensic software that can piece together a document that has been partially overwritten. Some people have a lot of time on their hands, and access to all of these programs, which is why a complete disk wiping is crucial.

Since simply deleting the file won't do, you need special software for any disk that is about to leave your hands, such as when your business replaces its PCs and sells the old ones off. A long-standing favorite is Disk Boot And Nuke, or DBAN, which has helped clean up disks for many years. Since then, many more programs have appeared, and you can find dozens with a quick Google search. They all operate fairly similarly: the idea is to overwrite the whole disk with random data, and to do it several times. Several passes are used because of residual data, which can leave just enough information for the bad guys to get those confidential documents back. Each hard drive maker also provides a utility to do a clean disk wipe, which can work well if you want a free alternative. Most of these programs offer various levels of erasure, and usually you should make sure the disk gets completely overwritten at least three times.
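The difference between deleting and wiping described above can be shown on a small scale. The following is an added example, not code from the article or from any of the tools it names: it models a disk as a constructed image file with a toy file table in sector 0 (the layout, file name and secret are all assumptions made for illustration), deletes a file by clearing only its table entry, and then overwrites every byte with random data three times.

```python
import os
import tempfile

SECTOR = 512  # toy sector size for the constructed image

def make_image(path, sectors=64):
    """Create a zero-filled image: sector 0 is a toy file table, the rest is data."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * sectors)

def write_file(path, name, payload, sector=8):
    """Record name -> sector in the toy table and store the payload in that sector."""
    with open(path, "r+b") as f:
        f.write(name.ljust(16, b"\x00") + sector.to_bytes(4, "little"))
        f.seek(sector * SECTOR)
        f.write(payload)

def delete_file(path):
    """'Delete' as the article describes it: clear only the table entry."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 20)

def raw_scan(path, needle):
    """The simplest recovery technique: search the raw bytes of the image."""
    with open(path, "rb") as f:
        return needle in f.read()

def wipe(path, passes=3, chunk=SECTOR * 16):
    """Overwrite every byte with random data `passes` times, syncing after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())

def demo():
    """Return (secret found after delete, secret found after wipe)."""
    secret = b"CONSTRUCTED-SECRET: payroll.xls contents"  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        write_file(img, b"payroll.xls", secret)
        delete_file(img)
        after_delete = raw_scan(img, secret)
        wipe(img, passes=3)
        return after_delete, raw_scan(img, secret)

if __name__ == "__main__":
    print(demo())
```

The image file stands in for a whole disk; a real wipe runs against the entire device, as the boot-and-wipe tools mentioned above do, rather than against a file on a mounted file system.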

Don't forget the flash drives

So now that you know what it takes to safely wipe a disk, and you remember to actually do it for every system you're about to ship off, you can feel secure that your computers won't leak out secret information. Remember that even if your department knows what to do, if you're in a large company and several departments have the authority to sell off used equipment, they must all adhere to this policy. Once that's done, however, there are still a few places that can easily be forgotten. The first one is flash drives. Those aren't often sold; usually they are used until they die and then thrown away. But a dumpster diver can easily recover them, and the same tools can be used to retrieve documents from them. For any kind of flash media, you can use one of the tools made especially for this type of media, like Roadkil DiskWipe, which will perform a similar function, wiping the data completely by overwriting it. This can work for any media that has a drive letter, and should be done before you throw away any old SD card or thumb drive.

Smartphones and tablets

Finally, there's the issue of data contained on other devices, such as smartphones and tablets. There really isn't any standard for secure deletion from those items, and it can be a challenge to transfer them securely. At a minimum, you should do a factory reset, but someone could still hack into the phone, root it, and recover the data. You could always store old phones in a drawer and not sell them or throw them away, but that may end up taking a lot of room. When there's no obvious solution, there's always the more brutal, physical way to deal with the problem: using a magnet, or simply destroying the device, making it physically impossible for any data to survive. This can be somewhat costly, however, and that's where you need to decide how crucial your smartphone data really is.

We all know the risks of sending off used computing equipment outside the corporate firewall, and the need for wiping out old data, but it can be daunting to realize just how many devices we have in our possession that contain sensitive information, and how hard it is to safely wipe every bit of data on every type of device out there. Still, by knowing the problem, we can keep this in mind, and apply proper protocols that will ensure a minimum of risk.

Do you have favorite tools or methods for secure data deletion? Share them with us below.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

23 comments
ricardoc

With today's cost for hard drives (especially before the floods in Thailand), physically destroying the old ones and getting new ones is like buying cheap insurance. How do we do it? We melt the plates with a torch; of course we use safety masks to avoid the fumes. Overkill? Sure, but completely secure also.

Rick_R

Of course there will be companies that insist on donating computers. Years ago (around 2000) a guy at our church got a "generous" donation of 10 out-of-service computers from a local company. We found out it was far from generosity. For accounting purposes the computers had been fully depreciated, which meant they had $0 value on the books. Of course, they had wiped the disks, which meant no operating system. Plus, the equipment was more than 3 years old and hence anemic by the standards of the day. (Granted, today even a 5-year old computer can handle most users' needs.) It would have cost us about $200 PER MACHINE to install Windows. The church wound up simply junking the machines. What we realized was that rather than paying someone to come and take the computers, they just put them in a storage room, knowing that (as a fairly big company) sooner or later someone would ask for a charity donation. They could "generously" donate TEN computers rather than pay ANY money. The recipient would put in the necessary time and expense to cart off the computers. Either some volunteer would (illegally) install one copy of Windows on all 10 computers or the computers would end up junked. Either way, the company would get rid of the computers, look like "a good corporate citizen" and it wouldn't cost them ANYTHING. (Back then, using Linux really wasn't an option. Aside from the fact that it "wasn't ready for prime time", equipment (among other things) at churches and many charities is often installed and maintained by volunteers with very limited tech knowledge.)

Regulus

If you have sensitive stuff on a unit, pull the drives and physically destroy them. They just don't cost that much even with today's temporarily elevated prices. Otherwise, remember the old song, 'Fdisk, Format, Reinstall'? Still good advice - but one step further, reinstall with UBUNTU Linux. The receiver will get a top OS complete with a full set of programs & utilities that are NOT your licensed versions. All this at virtually no cost. Best wishes.

michael

HDDErase by the Center for Magnetic Recording Research (CMRR) utilizes the secure erase command which has been built in to the firmware of every ATA drive for the last 10 years. An interesting PDF file available on the site reviews the various methods of erasing hard drives, and states that using the ATA firmware's built-in secure erase command is much more secure than programs that use DoD 5220 Block Erase (which would include most secure erase programs out there). It also runs much faster than block erase programs. It requires you to make a bootable DOS floppy or CD and run the HDDErase program under DOS. CMRR is located at the University of California - San Diego, and apparently received funding from the National Security Agency to research this issue and develop the program. The Readme file states that NSA support has ended, so I don't know if the program will be further updated (latest version is from 2008). http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml -Michael

benbritt

We have a VHS tape degausser that works fine. Shaped like a small iron, 2-5 seconds near a drive, all done. Of course the drive needs a deep level format to use again.

andinator222

DBAN stands for "DARIK'S Boot And Nuke", not "DISK Boot and Nuke". (http://www.dban.org/download) I have been using it for over one decade.... If I were Darik, I would not be too happy about being left out of the title, especially after all the hard work he has put into such an awesome disk wiping software....

thegreenwizard1

and the disk as a nice little round mirror for feng shui. So no problem about retrieving old data.

bus66vw

Don't forget to look in the copier's tray for last copied pages. On the old computers remember to check the DVD and CD drives for the last run media. All the clean up may cost but if your company is not careful on the disposal end they may have wasted all the money spent on the security end.

Rob C

You make no mention of HPA. When the police raid suspected criminals (for any type of crime), they are always seen carrying out the residents' PCs and hard drives.

BALTHOR

Some programs might run only on that old computer. In the future you'll need that one. Put them in plastic bags and store them away. It might be the same for replaced parts. That box is filled with CD writers that went bad. I'm not too sure that hard drive erasing is enough. I suspect that the CPU might hold a recording of everything that was ever done in the computer.

muttjp

We actually just physically destroy our hard drives, and then we know that the data can't be accessed.

chrisbedford

Not just pretty shiny discs, they also "ting" sweetly. You have to be a bit creative about how to hang them without making an awful ugly contraption that your wife / GF won't have around the house tho' ;-)

emcas

Just have a VM for any old programs that don't run - or find a newer alternative that will probably do more too (not always applicable). As for the CPU holding a recording, it doesn't, so there's no need to worry. Wiping the drive to the relevant government standard will be fine, possibly even overkill.

OakvilleMyKey

The CPU doesn't hold a recording. Not sure what the rest of your response means. I don't think that it is in response to the actual article.

tommy

We do too. Don't mind the rest of the chassis going to a good cause, but the HDD gets shredded, and I get a certificate - and a little bag of the chipped drive - to prove it's been done.

watsonderekj

Using a hammer to destroy hard drives is fun and a great way to burn off some stress. Nothing better than taking something bright and shiny and making it into nice little bits!

jhend91

Using a 7.62 is fun also!

jbelgarde

I like using my splitting maul. Put the drive on a chopping block and a 15 lb maul does a wonderful job of relieving past stress.